July 8, 2008

TrendMicro Appliance Randomly Blocking

I’ve been fighting an odd issue and finally found a resolution with the assistance of TrendMicro’s support.

A few users (six out of 22k) reported that they weren’t getting email from anyone outside of the network. A few test messages from my web mail accounts (Gmail, Hotmail, and my own domain) revealed an interesting issue.

These few accounts were getting this error:

Hotmail

Reporting-MTA: dns;blu0-omc1-s38.blu0.hotmail.com
Received-From-MTA: dns;BLU119-W30
Arrival-Date: Thu, 3 Jul 2008 06:02:56 -0700

Final-Recipient: rfc822;[deleted@for.security]
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp;554 5.7.1 : Recipient address rejected: Access denied

GMail

This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

[deleted@for.security]

Technical details of permanent failure:
PERM_FAILURE: Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 554 554 5.7.1 < [deleted@for.security]>: Recipient address rejected: Access denied (state 14).

I tested SMTP connectivity to the Exchange server by telnetting to the device from outside and inside the network to attempt to narrow down the block. Our Exchange server is protected by TrendMicro ScanMail, and we utilize a TrendMicro Interscan Messaging Security Appliance on our DMZ to provide more spam and virus protection.

I narrowed it down to the IMSA appliance but couldn’t locate the problem in the logs. The MTA logs simply stated Access Denied… not very helpful. So after a short wait on hold, TrendMicro support asked me to deactivate the Network Reputation Services, a learning adaptive IP filtering system that blocks spam senders before they finish connecting.

I later found that the NRS is configured on the appliance AND on TrendMicro’s Email Reputation Service website. lets you create an account using your IMSA’s activation code. Then you can log in and configure the “aggressiveness” of the NRS filters.

If you’ve already laid out the cash for the IMSA, get your email servers registered on this site to make sure they don’t get blocked or at least you’ll have a higher rating with other Trend users on the internet.

It was a frustrating problem that I hope nobody else has, but if they do I hope you find this helpful. If this doesn’t fix it, give Trend a call. Enterprise wait time was less than a minute and had me up and running in less than 10 minutes.
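
As an added example (not part of the original post, and not TrendMicro code), the delivery-status fields of the Hotmail bounce quoted above can be parsed and triaged by enhanced status code, which separates a policy block at the gateway from a missing mailbox. The function names are hypothetical; the status-code meanings are those of RFC 3463.

```python
import re
from email.parser import HeaderParser

# Delivery-status fields copied from the Hotmail bounce quoted in the post
# (recipient left redacted exactly as the post shows it).
SAMPLE_DSN = """\
Reporting-MTA: dns;blu0-omc1-s38.blu0.hotmail.com
Received-From-MTA: dns;BLU119-W30
Arrival-Date: Thu, 3 Jul 2008 06:02:56 -0700

Final-Recipient: rfc822;[deleted@for.security]
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp;554 5.7.1 : Recipient address rejected: Access denied
"""

# RFC 3463 meanings for the class and subject parts of an enhanced status code.
CLASSES = {"2": "success", "4": "transient failure", "5": "permanent failure"}
SUBJECTS = {"1": "addressing", "2": "mailbox", "3": "mail system",
            "4": "network/routing", "5": "protocol", "6": "content",
            "7": "security or policy"}

def parse_dsn(text):
    """Split RFC 3464 delivery-status text into per-message and per-recipient fields."""
    blocks = [b for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]
    groups = [dict(HeaderParser().parsestr(b).items()) for b in blocks]
    return groups[0], groups[1:]

def triage(recipient_fields):
    """Classify one per-recipient group by its enhanced status code."""
    status = recipient_fields.get("Status", "").strip()
    m = re.fullmatch(r"([245])\.(\d{1,3})\.(\d{1,3})", status)
    if not m:
        return {"status": status, "verdict": "unparseable status"}
    cls, subject, _detail = m.groups()
    diag_type, _, diag_text = recipient_fields.get("Diagnostic-Code", "").partition(";")
    policy = cls == "5" and subject == "7"
    return {
        "status": status,
        "class": CLASSES[cls],
        "subject": SUBJECTS.get(subject, "other"),
        "diagnostic_type": diag_type.strip().lower(),
        "diagnostic_text": diag_text.strip(),
        # 5.7.x: a filter or policy refused the mail; a missing mailbox is 5.1.1.
        "verdict": "policy rejection: inspect gateway filtering" if policy
                   else "not a policy rejection",
    }
```

Run over a batch of bounces, the per-recipient verdicts show quickly whether the affected addresses share a 5.7.x policy rejection.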

1 Comment
  1. Jul 28 2008

    I just wanted to thank you for writing this up. I am experiencing something very similar to this issue and come to find out it was a configuration issue with our Trend InterScan Messaging Hosted Security, very similar to IMSA, but hosted on Trend’s network. Our issue was that people at our branch offices that belong to a distribution group were not getting any emails from their respective groups and when I went and tested this from my Gmail account I got a “bounce-back” just like the one you mentioned.

    With our IMHS service we have a utility that runs on server and every couple of hours it synchronizes with our Active Directory. This builds a list of Approved Recipients and rejects emails sent to any other addresses in our domain. Well, for whatever reason the Sync utility is ignoring all of our distribution groups. I can manually add a distribution group and everything is kosher. I may contact Trend and see what’s up with not syncing distribution groups.
